Has your smart WiFi-enabled LED light bulb been hacked?

More and more gadgets and devices around the home are leaping on the Internet of Things (IoT) bandwagon, and getting connected to the net. But are vendors treating security as a priority?

That’s the question which has to be asked once again, after security researchers discovered a security weakness in a make of internet-enabled LED light bulb that can be controlled via a funky smartphone app.

When you watch the promotional video for LIFX’s multi-coloured energy efficient LED light bulbs you are left with the impression that they’re pretty neat.

But there must have been a few raised eyebrows, when researchers at Context published an analysis of security vulnerabilities in LIFX smart light bulbs, where they described how by gaining access to a “master bulb” they were able to control all connected bulbs, and expose user network configurations.

The encouraging news is that what the researchers from Context did was far from simple, and required them to physically take a LIFX smart bulb apart to access its printed circuit board (PCB) and reverse-engineer the device’s firmware.

Furthermore, any attacker would have to be in close proximity to their target rather than on the other side of the world meddling with the smart lighting via the net.

Armed with knowledge of the encryption algorithm, key, initialization vector and an understanding of the mesh network protocol we could then inject packets into the mesh network, capture the WiFi details and decrypt the credentials, all without any prior authentication or alerting of our presence. Success!

It should be noted, since this attack works on the 802.15.4 6LoWPAN wireless mesh network, an attacker would need to be within wireless range, ~30 meters, of a vulnerable LIFX bulb to perform this attack, severely limiting the practicality for exploitation on a large scale.

Fortunately, the Context researchers acted responsibly and informed LIFX of the potential security issue, and even helped them develop a fix which means that all 6LoWPAN traffic is now encrypted, using a key derived from the WiFi credentials.

In a blog post, the firm said that it was unaware of any users being affected by the security issue.

In rare circumstances the security issue could expose network configuration details on the mesh radio, requiring a person to dismantle a bulb, reverse engineer the debug connection and firmware, then be physically present with dedicated hardware within the bounds of your WiFi network (not from the internet). Eg. Someone hiding in your garden with complex technical equipment.
No LIFX users have been affected that we are aware of, and as always we recommend that all users stay up to date with the latest firmware and app updates.

LIFX has now issued a software update to its smart bulb firmware which is said to address the security issue.

It’s going to happen, whether we like it or not – all we can hope is that as a multitude of vendors begin to sell their household devices as internet-enabled that they give some consideration to customers’ security and privacy.

About The Author

Security analyst

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.
Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.